The maximum penalty is $5,000 per violation, and prosecutors said 852 people in Washington, DC, downloaded the app. However, approximately 340,000 people had data collected from them because they were friends with the initial downloaders. This means Facebook could potentially face a fine of $1.7 billion.

Attorney General Karl Racine said Facebook was responsible because of its lax oversight and misleading privacy settings.

“Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used,” Racine said. “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.”

According to the complaint, the AG believes Facebook harmed its users in a few key ways. First, prosecutors allege that Facebook misled its users about the security of their data. They also say Facebook failed to monitor the way third-party apps used data.

In addition, the complaint says that Facebook became aware of the data breach in 2015 but did not inform users until 2018. Prosecutors also allege that the social media company didn’t do enough to ensure the data was deleted after it found out. Finally, Facebook is accused of not telling users that some companies could override privacy settings.

Facebook stated it had received the complaint.

“We’re reviewing the complaint and look forward to continuing our discussions with attorneys general in DC and elsewhere,” a Facebook spokesperson said.